Class CrlfResponseFilter

  • All Implemented Interfaces:
    javax.servlet.Filter

    public class CrlfResponseFilter
    extends java.lang.Object
    implements javax.servlet.Filter
    Centralized configuration of the HTTP response to avoid security issues. Fixes CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting').

    When and why does it happen?
    1. Data enters the web application from an untrusted source, most frequently an HTTP request.
    2. That data is included in an HTTP response header and sent back to the user without being validated for the malicious characters (CR and LF).

    Impact: an attacker may be able to perform cross-site scripting, phishing and cache poisoning attacks. The response crafted by the attacker can be cached and served to every user of the website; in the end the attacker can steal sensitive data and attack users with it.

    To enable this filter, add (if not already present) the following <filter> declaration to WEB-INF/web.xml:
    
     <web-app ...>
       ...
       <filter>
         <filter-name>crlfResponseFilter</filter-name>
         <filter-class>com.microstrategy.web.filter.CrlfResponseFilter</filter-class>
       </filter>
       <filter-mapping>
         <filter-name>crlfResponseFilter</filter-name>
         <url-pattern>/*</url-pattern>
       </filter-mapping>
       ...
     </web-app>
     
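    The page describes what the filter does but not how a CRLF-neutralizing response filter is built. The following is an added illustrative implementation, not MicroStrategy's code: it wraps the HttpServletResponse so that CR and LF are removed from every header name and value (and from redirect locations) before they reach the container. The class and method names are the example's own.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Illustrative filter (not the MicroStrategy class): strips CR/LF from outgoing headers. */
public class HeaderCrlfStrippingFilter implements Filter {

    /** Remove carriage-return and line-feed characters; a null value is passed through. */
    static String stripCrlf(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c != '\r' && c != '\n') {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Response wrapper that neutralizes CRLF in each header-writing method. */
    static class SanitizingResponse extends HttpServletResponseWrapper {
        SanitizingResponse(HttpServletResponse resp) { super(resp); }
        @Override public void setHeader(String name, String value) { super.setHeader(stripCrlf(name), stripCrlf(value)); }
        @Override public void addHeader(String name, String value) { super.addHeader(stripCrlf(name), stripCrlf(value)); }
        // Location is a header too: an unchecked redirect target is the classic splitting vector.
        @Override public void sendRedirect(String location) throws IOException { super.sendRedirect(stripCrlf(location)); }
    }

    @Override public void init(FilterConfig filterConfig) throws ServletException { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            chain.doFilter(request, new SanitizingResponse((HttpServletResponse) response));
        } else {
            chain.doFilter(request, response);
        }
    }
}
```

    Map it with a <url-pattern> of /* exactly as shown for crlfResponseFilter above, so that every response, including redirects issued by servlets and JSPs, passes through the wrapper. Where the servlet container already rejects control characters in header values, the wrapper is a second line of defence rather than the only one.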
    • Method Summary

      Modifier and Type   Method
      void                destroy()
      void                doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
      static boolean      getIsRemoveCrlf()
      void                init(javax.servlet.FilterConfig filterConfig)
      static void         setIsRemoveCrlf(boolean enableRemoveCrlf)
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • CrlfResponseFilter

        public CrlfResponseFilter()
    • Method Detail

      • init

        public void init(javax.servlet.FilterConfig filterConfig)
                  throws javax.servlet.ServletException
        Specified by:
        init in interface javax.servlet.Filter
        Throws:
        javax.servlet.ServletException
      • doFilter

        public void doFilter(javax.servlet.ServletRequest request,
                             javax.servlet.ServletResponse response,
                             javax.servlet.FilterChain chain)
                      throws java.io.IOException,
                             javax.servlet.ServletException
        Specified by:
        doFilter in interface javax.servlet.Filter
        Throws:
        java.io.IOException
        javax.servlet.ServletException
      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter
      • setIsRemoveCrlf

        public static void setIsRemoveCrlf(boolean enableRemoveCrlf)
      • getIsRemoveCrlf

        public static boolean getIsRemoveCrlf()